FTC v. Epic Marketplace: It’s not paranoia if…
Remember that Rockwell song from the 80’s: “I always feel like somebody’s watching me…”? Chances are, while you were online, Epic Marketplace was. Earlier today the Federal Trade Commission (FTC) reached a settlement with Epic Marketplace that required that company to stop “datasniffing” websurfers’ browsing and destroy records gained by doing so. Find the Consent Order here.
According to the Complaint, Epic is owned and controlled by Epic Media Group, LLC., and acts as an intermediary between those who wish to sell online advertising space and those who wish to purchase such space – a network of at least 45,000 publishers that included, according to the Complaint, such sites as cnn.com, papajohns.com, redcross.com, and orbitz.com. By virtue of “cookies” which store data on a websurfer’s computer regarding what sites that surfer visited at what time Epic gathers (or, as mentioned below, “gatherED”) behavioral marketing information, ostensibly to help place ads effectively. Epic included code that exploited a common browser vulnerability to obviate the need for cookies and not only determined whether surfers had visited sites outside of its network, but also circumvented efforts to retain privacy by deletion of cookies. Going a step further, Epic used this information to categorize surfers, and then used those categories as part of its behavioral marketing.
By doing so, the FTC Complaint alleges that Epic engaged in “deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act” when it 1) misrepresented that it was only collecting information on websurfers’ history within its network, but 2) in fact was collecting information regarding sites outside its network, and 3) did not notify surfers or allow them to opt out. The Consent Order effectively amounts to an admission by Epic that it did exactly these things.
The events complained of by the FTC took place in 2010 and 2011, and the datasniffing was discovered in July 2011. Most major browsers have made some effort to close the exploited vulnerability, and also allow users to check a box indicating they do not wish to be tracked (the author is highly skeptical that this is even modestly effective). Affiliate marketers were already… displeased… with Epic Media Group, and some appear to be suggesting that Epic Media may be moving its operations to another company, and even that, as a result, the settlement doesn’t matter.
Still, this Consent Order means two things: For consumers, it means that the FTC isn’t totally asleep at the wheel – or wasn’t a year ago. While anyone who goes online without antivirus, antimalware, and virus protection is still basically betting for the digital equivalent of gonnaherpasyphilaids, at least some of their tax dollars are, or were, going somewhere worthwhile. For businesses, it means… the FTC isn’t totally asleep at the wheel. Along the same line as SPAM and the efforts to stem that practice by CAN SPAM, the FTC is signaling its willingness to force companies, particularly behavioral marketers, to be transparent in their methods, allow consumers to opt out, and leave people some last shred of privacy. Companies are well advised to re-examine their advertising and media practices in light of this recent development.